The Industry Speaks: World Identity Management Day 2026

The emergence of agentic identity security adds another dimension to all of this. AI agents are now accessing systems, making decisions, and acting on behalf of organisations, and the identity conversation has expanded from how we authenticate users to how we ensure an agent gets precisely the access it needs and nothing more, while continuously verifying it stays within those boundaries.

Doing that well requires real-time correlation of identity events across your SSO provider, cloud IAM, application logs, and privileged access tools at a speed and scale that most traditional SIEM platforms weren't designed to handle. Protecting identities in 2026 means protecting every identity: human, machine… and agent.

John Cannava
CIO at Ping Identity

From an IT leadership perspective, Identity Management Day takes on new urgency this year as both individuals and organisations are managing human identities while also governing AI as it takes on increasingly agentic roles. The impact AI will have on identity will likely be far greater than we anticipate, which means our approach to security has to evolve in lockstep.

In this new reality, the login is no longer the primary security boundary - access must be continuously evaluated and enforced. In agentic systems, risk doesn’t end at sign-in; it evolves dynamically at runtime as users and systems interact. Identity can no longer be verified once and trusted indefinitely. It must be continuously evaluated at every high-impact action.

That’s why approaches like zero trust and decentralised identity are becoming critical to reducing risk while still enabling the business to move quickly. As AI-driven attacks increasingly target centralised data and try to imitate legitimate users, organisations need to move away from single points of failure and verify every access request in real time, no matter who or what is behind it. This requires rethinking identity across both workforce and customer environments.

VIEW ALL

As the way we work continues to change, the focus has to be on securing the workforce, maintaining customer trust, and delivering digital experiences that are both seamless and secure. The future of identity will depend on how well we adapt to this more dynamic, continuous model of trust.

Art Gilliland
CEO of Delinea

Identity doesn’t stop at people. Non-human identities, particularly AI agents, are quickly becoming one of the biggest sources of enterprise risk. Despite 83% of Australian organisations claiming they’re ready for AI-driven automation at scale, 40% admit their identity governance for AI systems falls short. The problem is relatively simple but often overlooked: teams are still treating AI agents as tools, when they actually behave like privileged users. This creates the “AI security paradox” where organisations are scaling their AI initiatives faster than they control which identities get access to what. Dangerous blind spots can form as a result, hiding unchecked privilege, quiet access paths, and little accountability for actions. The pressure to move fast on AI is real, but so is the need to lock down identities. As AI agents continue to multiply across enterprise environments, identity can’t be viewed as just another part of security; it must be treated as the overarching control plane.


Anthony Daniel
Managing Director, Australia, New Zealand and the Pacific Islands, at WatchGuard Technologies

Most cybercriminals don’t hack into systems anymore, they simply log in.

Attackers are increasingly exploiting identity to gain access, using stolen credentials, encrypted channels and legitimate tools to blend into trusted environments. Once inside, they move laterally across systems without raising alarms, rendering traditional defences ineffective. As highlighted in WatchGuard’s Internet Security Report, there has been a 1,548 per cent surge in new, unique malware alongside a rise in threats designed to evade detection. With 96 per cent of malware now delivered over encrypted channels, visibility is shrinking while attacker capability continues to grow.

This Identity Management Day, organisations need to shift the conversation from access management to identity risk management. That means continuously assessing behaviour, context and intent, and connecting identity with endpoint and network signals to detect compromise earlier. In an environment where attackers can appear indistinguishable from legitimate users, identity is no longer just part of the attack chain, it is where it begins and where it must be controlled.

Sean Deuby
Principal Technologist at Semperis

The sixth Identity Management Day highlights the evolving nature of identity.

The meteoric rise of AI in general and its impact on nonhuman identities (NHIs) has focused attention on identity security as never before. But in the long view, it simply highlights the same issues we have seen in identity management since it was called “identity management.” And discovery has always been a part of it.

Enabling the business has always been the priority for IT. Managing the identity pieces you have created for the business has not, because e it does not directly benefit the business.

Do you need this group created, populated, and added to an application? Sure. Do you need this service account immediately? Right away. Let’s give it some extra privileges because we know we will not have to troubleshoot permission problems in the future.

But ask yourself: how often have you seen “Please remove this account because we’re not using it anymore”? Rarely. Unless you’re a regulated business, identity governance and administration (IGA) is usually an afterthought. This has been the reality of IT as long as there’s been IT.

I lump this into the identity security category I call “eat your vegetables”: you know it’s good for you, but you don’t do it enough. Even after 26 years of general availability, identity governance is far from a given in Active Directory environments, especially smaller ones.

Since identity systems such as Active Directory have very long lifespans, these daily decisions accumulate over years or decades of production. Organisations find they have thousands or tens of thousands of under-regulated NHIs (we call them service accounts on premises). This is one of many reasons identity systems are a favourite target of threat actors; they know very well these NHIs are overprivileged, underprotected, and neglected.

Take these same factors, surround them with the tinder of cloud services’ ease of use, pour the gasoline of AI onto it, and give developers the match. That’s the dumpster fire we’re looking at today, with NHIs outpacing human identities at what seems like a geometric progression. We’re right to be concerned.

How does “finding identity” fit into this? We can’t just wring our hands about the situation; we need to take steps immediately. We must put controls in place as soon as possible. And we must discover what’s already out there, using any tools we have, so we know the scope. You don’t know the size of your dumpster fire until you’ve looked.

Nam Lam
Group Vice President, Australia and New Zealand, at SailPoint

World Identity Management Day is a moment to ask an honest question. Is the way we think about identity keeping pace with the world we are actually operating in?

For most organisations, the answer is no. Identity security has traditionally been treated as a static discipline. You grant access, you review it periodically, and you hope nothing changes too dramatically in between. But the enterprise of 2026 is anything but static. Workforces shift constantly, and applications multiply into the thousands. AI agents are proliferating across business units at a pace that outstrips any governance programme built for the human era.

The result is a growing gap between what organisations think they have under control and what is actually happening across their identity landscape. In Australia and New Zealand, that gap carries real regulatory, financial, and reputational consequence.

Part of the problem is how we still define risk. In the past, privileged access belonged to a select few. Today, a payroll bot approving salary runs or a junior analyst with API access to sensitive data can each trigger significant impact. Risk no longer lives in job titles. It lives in context, and that is precisely what static governance was never designed to read.

What this day should prompt is a shift in mindset to embrace an adaptive identity security model. Static controls tell you who had access last year. Adaptive identity security tells you whether the access being requested right now, in this context, by this identity, at this hour, makes sense and acts accordingly. It is also the layer that makes zero trust work in practice. Many Australian organisations have embraced zero trust in principle but struggle to operationalise it, because architecture alone cannot enforce least privilege dynamically. Adaptive identity security provides that enforcement.

SailPoint's own research makes the urgency clear. 82% of enterprises are already using AI agents, yet fewer than half have governance policies to manage them. 75% of machine identities have no designated owner. Each one represents an access pathway that nobody is watching.

The tools to address this exist today. Real-time risk scoring, just-in-time access, continuous authorisation, and unified visibility across human and non-human identities are well within reach, and the organisations investing in them are moving faster, complying more confidently, and recovering more quickly when threats materialise.

Identity security is not a control function. It is the foundation on which a secure, resilient, and agile enterprise is built. World Identity Management Day is a prompt to treat it that way.